cos413day3

COS/PSA 413 Day 3

Upload: sumit-tambe

Post on 17-May-2015

Page 1: Cos413day3

COS/PSA 413

Day 3

Page 2: Cos413day3

Guide to Computer Forensics and Investigations, 2e 2

Agenda

• Questions?

• Assignment 1 due

• Lab Write-ups (project 2-1 and 2-2) due next class

• Lab Recap and After Action Report

• Begin discussion on Working with Windows and DOS Systems
  – Chapter 3 in 1e and Chapter 7 in 2e

Page 3: Cos413day3

Lab 1 Recap

• Always know what you are going to do before you sit down at the forensics workstation
  – Methodical, not “hack and slash”
  – Requires reading and prior prep

• Learn DOS
  – Most forensics work is done at low levels (not GUI)
  – http://www.glue.umd.edu/~nsw/ench250/dostutor.htm

• Have part of the lab report started before the lab
  – Know what it is you are looking for

Page 4: Cos413day3

Guide to Computer Forensics and Investigations

Chapter 3: Working with Windows and DOS Systems

Page 5: Cos413day3

Objectives

• Understand file systems

• Explore Microsoft file structures

• Examine New Technology File System (NTFS) disks

Page 6: Cos413day3

Objectives (continued)

• Understand the Windows Registry

• Understand Microsoft boot tasks

• Understand MS-DOS startup tasks

Page 7: Cos413day3

Understanding File Systems

• Understand how OSs work and store files

• CompTIA A+ certification

• File system
  – Road map to data on a disk
  – Determines how data is stored on disk

• Become familiar with file systems

Page 8: Cos413day3

Understanding the Boot Sequence

• Avoid data contamination or modification

• Complementary Metal Oxide Semiconductor (CMOS)
  – Stores system configuration, date, and time

• BIOS
  – Performs input/output at hardware level

Page 9: Cos413day3

Understanding the Boot Sequence (continued)

• Make sure the computer boots from a floppy disk
  – Modify CMOS
  – Accessing CMOS depends on the BIOS
    • Delete key
    • Ctrl+Alt+Insert
    • Ctrl+A
    • Ctrl+F1
    • F2
    • F12

Page 10: Cos413day3

Understanding the Boot Sequence (continued)

Page 11: Cos413day3

Understanding Disk Drives

• Composed of one or more platters

• Elements of a disk:
  – Geometry
  – Head
  – Tracks
  – Cylinders
  – Sectors

Page 12: Cos413day3

Understanding Disk Drives (continued)

Page 13: Cos413day3

Understanding Disk Drives (continued)

• Cylinder, head, sector (CHS) calculation
  – 512 bytes per sector
  – Tracks contain sectors
  – Number of bytes on a disk
    • Cylinders (platters) x Heads (tracks) x Sectors

• First track is track 0
  – So if a disk lists 79 tracks (as a floppy does), it has 80 tracks
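The CHS arithmetic from this slide, worked in Python as an added example (not code from the slides or the textbook): capacity as cylinders × heads × sectors × 512 bytes, the track-0 counting rule, and the general mapping between a logical block address and a (cylinder, head, sector) triple, of which the slide's formula is one instance. The 1.44 MB floppy geometry is a constructed sample; a real drive reports its own.

```python
"""CHS geometry helpers: disk capacity, track counting, and LBA <-> CHS mapping.

Added example, not from the slides or the textbook. The floppy geometry
below is a constructed sample.
"""
from dataclasses import dataclass
from typing import Tuple

SECTOR_BYTES = 512  # the slide's figure: 512 bytes per sector


@dataclass(frozen=True)
class Geometry:
    cylinders: int  # number of cylinders (highest cylinder index + 1)
    heads: int      # one head per platter surface
    sectors: int    # sectors per track; CHS sector numbers start at 1, not 0

    def capacity_bytes(self) -> int:
        """Cylinders x Heads x Sectors x bytes per sector."""
        return self.cylinders * self.heads * self.sectors * SECTOR_BYTES

    def lba_to_chs(self, lba: int) -> Tuple[int, int, int]:
        """Map a 0-based logical block address to (cylinder, head, sector)."""
        if not 0 <= lba < self.cylinders * self.heads * self.sectors:
            raise ValueError(f"LBA {lba} is outside the geometry")
        cylinder, remainder = divmod(lba, self.heads * self.sectors)
        head, sector0 = divmod(remainder, self.sectors)
        return cylinder, head, sector0 + 1   # sectors are numbered from 1

    def chs_to_lba(self, cylinder: int, head: int, sector: int) -> int:
        """Inverse of lba_to_chs; raises on an address outside the geometry."""
        if not (0 <= cylinder < self.cylinders
                and 0 <= head < self.heads
                and 1 <= sector <= self.sectors):
            raise ValueError("CHS address is outside the geometry")
        return (cylinder * self.heads + head) * self.sectors + (sector - 1)


def track_count(highest_track_index: int) -> int:
    """Tracks are numbered from 0, so a disk whose last track is 79 has 80 tracks."""
    return highest_track_index + 1


# Constructed sample: a 1.44 MB floppy has tracks 0..79, 2 heads, 18 sectors per track
FLOPPY_144 = Geometry(cylinders=track_count(79), heads=2, sectors=18)

if __name__ == "__main__":
    print("capacity:", FLOPPY_144.capacity_bytes(), "bytes")        # 1474560
    for lba in (0, 18, 36, 2879):
        print(lba, "->", FLOPPY_144.lba_to_chs(lba))
```

Sector numbering is the usual slip: LBA 0 is sector 1 of head 0, cylinder 0, and the last block of the floppy (LBA 2879) is cylinder 79, head 1, sector 18.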

Page 14: Cos413day3


Page 15: Cos413day3

Understanding Disk Drives (continued)

• Zoned bit recording (ZBR)
  – Platter’s inner tracks are smaller than outer tracks
  – Group tracks by zone

• Track density
  – Space between each track

• Areal density
  – Number of bits on one square inch of a platter

Page 16: Cos413day3

Exploring Microsoft File Structures

• Need to understand
  – FAT
  – NTFS

• Sectors are grouped into clusters
  – Storage allocation units of at least 512 bytes
  – Minimize read and write overhead

• Clusters are referred to as logical addresses

• Sectors are referred to as physical addresses

Page 17: Cos413day3

Disk Partitions

• Logical drive

• Hidden partitions or voids
  – Large, unused gaps between partitions
  – Also known as partition gaps
  – Can hide data

• Use a disk editor to change the partition table
  – Norton Disk Edit
  – WinHex, Hex Workshop
  – http://www.x-ways.net/winhex/index-m.html

Page 18: Cos413day3

Disk Partitions (continued)

Page 19: Cos413day3

Disk Partitions (continued)

• Disk editor additional functions
  – Identify OS on an unknown disk
  – Identify file types

Page 20: Cos413day3

Disk Partitions (continued)

Page 21: Cos413day3


Page 22: Cos413day3

Disk Partitions (continued)

Page 23: Cos413day3


Page 24: Cos413day3

Master Boot Record

• Stores information about partitions
  – Location
  – Size
  – Others

• Software can replace the master boot record (MBR)
  – PartitionMagic
  – LILO
  – Can interfere with forensics tasks
  – Use more than one tool
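A parser for the partition table the MBR stores (location and size of each entry), followed by a check for large unallocated runs of the kind the Disk Partitions slide calls hidden partitions or voids. This is an added example, not code from the slides or the textbook. The 512-byte MBR is constructed in memory, and the 2048-sector reporting threshold is an assumption chosen for the example; the 0x1BE table offset, 16-byte entry layout, 0x55AA signature and the partition type IDs are the standard DOS MBR format.

```python
"""Parse a DOS master boot record and report unallocated gaps between partitions.

Added example, not from the slides or the textbook. The MBR below is
constructed; the gap threshold is an assumption for this example.
"""
import struct
from typing import List, NamedTuple, Tuple

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE      # four 16-byte entries follow the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of a valid MBR

# Well-known partition type IDs (a subset)
TYPE_NAMES = {0x00: "empty", 0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
              0x82: "Linux swap", 0x83: "Linux"}


class Partition(NamedTuple):
    index: int          # 1..4, position in the table
    bootable: bool      # status byte 0x80
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:       # exclusive end sector
        return self.lba_start + self.sectors

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_id, f"unknown (0x{self.type_id:02X})")


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR (wrong size or missing 55AA signature)")
    parts = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status, 3 CHS-start bytes (skipped), type, 3 CHS-end bytes (skipped),
        # 32-bit LBA start, 32-bit sector count; all little-endian
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        if type_id == 0x00 or sectors == 0:
            continue
        parts.append(Partition(i + 1, status == 0x80, type_id, lba_start, sectors))
    return parts


def find_gaps(parts: List[Partition], disk_sectors: int,
              min_sectors: int = 2048) -> List[Tuple[int, int]]:
    """Unallocated runs [start, end) of at least min_sectors.

    Sector 0 holds the MBR itself, so the first possible gap starts at sector 1.
    The small run before the first partition is normal alignment padding;
    a run of many thousands of sectors between or after partitions is worth a look.
    """
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p.lba_start):
        if p.lba_start - cursor >= min_sectors:
            gaps.append((cursor, p.lba_start))
        cursor = max(cursor, p.lba_end)
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def build_entry(bootable: bool, type_id: int, lba_start: int, sectors: int) -> bytes:
    """Construct one table entry; CHS fields are left zero (tools use the LBA fields)."""
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, type_id, lba_start, sectors)


# Constructed sample: a 65536-sector disk with a bootable FAT32 partition and an
# NTFS partition, leaving an unallocated run between them and another at the end.
SAMPLE_DISK_SECTORS = 65536
SAMPLE_MBR = (b"\x00" * PARTITION_TABLE_OFFSET
              + build_entry(True, 0x0B, 63, 20000)
              + build_entry(False, 0x07, 40000, 20000)
              + b"\x00" * (ENTRY_SIZE * 2)
              + BOOT_SIGNATURE)

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    for p in found:
        print(f"#{p.index} {p.type_name:12s} start={p.lba_start} sectors={p.sectors}"
              f"{' (boot)' if p.bootable else ''}")
    print("gaps:", find_gaps(found, SAMPLE_DISK_SECTORS))
```

On the sample the 62 sectors between the MBR and the first partition fall under the threshold, while the runs at sectors 20063..40000 and 60000..65536 are reported; a second tool (as the slide advises) should agree on these ranges before anything is read out of them.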

Page 25: Cos413day3

Examining FAT Disks

• FAT was originally developed for floppy disks
  – Filenames, directory names, date and time stamps, starting cluster, attributes

• Typically written to the outermost track

• Evolution
  – FAT12
  – FAT16
  – FAT32

Page 26: Cos413day3

Examining FAT Disks (continued)

Page 27: Cos413day3

Examining FAT Disks (continued)

• Drive slack
  – Unused space in a cluster
  – RAM slack
    • Can contain logon IDs and passwords
    • Common on older systems
  – File slack
    • Bytes not used on the sector by the file

• FAT16 unintentionally reduced fragmentation

Page 28: Cos413day3

Examining FAT Disks (continued)

Page 29: Cos413day3

Examining FAT Disks (continued)

• Cluster chaining
  – File clusters are kept together (when possible)
  – Produces fragmentation

• Tools
  – Norton DiskEdit
  – DriveSpy’s Chain FAT Entry (CFE) command

• Rebuilding broken chains can be difficult

Page 30: Cos413day3

Examining FAT Disks (continued)

Page 31: Cos413day3


Page 32: Cos413day3

Deleting FAT Files

• Filename in FAT database starts with HEX E5

• FAT chain for that file is set to zero

• Free disk space is incremented

• Actual data remains on disk

• Can be recovered with computer forensics tools
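The three FAT slides above (drive/RAM/file slack, cluster chaining, and what deletion changes) worked through on a tiny FAT16 volume constructed in memory. This is an added example, not code from the slides, the textbook, or any of the named tools. The on-disk layout used (32-byte directory entries with the start cluster at offset 26 and the size at offset 28, 0xE5 as the deleted marker, 0xFFF8..0xFFFF as end-of-chain) is the standard FAT16 format; the geometry of 512-byte sectors and 2 sectors per cluster, the file names and the FAT contents are constructed for the example.

```python
"""FAT16 walk-through: cluster chains, deleted entries (first byte 0xE5), and slack.

Added example, not from the slides or the textbook. The tiny volume below is
constructed in memory with 512-byte sectors and 2 sectors per cluster.
"""
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 2
CLUSTER_BYTES = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
DIR_ENTRY_SIZE = 32
DELETED_MARKER = 0xE5       # first name byte of a deleted directory entry
FAT16_EOC_MIN = 0xFFF8      # FAT16 end-of-chain values are 0xFFF8..0xFFFF


class DirEntry(NamedTuple):
    name: str               # 8.3 name; the first character is lost once deleted
    deleted: bool
    first_cluster: int
    size: int


def parse_dir_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte directory entry; None for a never-used slot (0x00)."""
    if len(raw) != DIR_ENTRY_SIZE or raw[0] == 0x00:
        return None
    deleted = raw[0] == DELETED_MARKER
    base = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]           # 0xE5 overwrote the original first character
    name = f"{base}.{ext}" if ext else base
    first_cluster = struct.unpack_from("<H", raw, 26)[0]   # low word of start cluster
    size = struct.unpack_from("<I", raw, 28)[0]
    return DirEntry(name, deleted, first_cluster, size)


def list_directory(raw_dir: bytes) -> List[DirEntry]:
    entries = []
    for off in range(0, len(raw_dir), DIR_ENTRY_SIZE):
        entry = parse_dir_entry(raw_dir[off:off + DIR_ENTRY_SIZE])
        if entry is None:
            break                       # 0x00 marks the end of the used entries
        entries.append(entry)
    return entries


def follow_chain(fat: List[int], first: int) -> List[int]:
    """Follow FAT entries from a start cluster until end-of-chain.
    Stops early, returning a partial chain, on a free entry (0), an
    out-of-range value or a loop: that is what a broken chain looks like."""
    chain, cur = [], first
    while 2 <= cur < len(fat) and cur not in chain:
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:
            break
        cur = nxt
    return chain


def is_fragmented(chain: List[int]) -> bool:
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))


def recover_deleted_clusters(entry: DirEntry, fat: List[int]) -> Tuple[List[int], List[int]]:
    """Deletion zeroes the file's FAT chain but keeps start cluster and size, so
    recovery assumes the file was contiguous. Returns the guessed clusters and
    those among them now allocated to another file (likely overwritten)."""
    count = -(-entry.size // CLUSTER_BYTES)          # ceiling division
    guessed = list(range(entry.first_cluster, entry.first_cluster + count))
    reused = [c for c in guessed if c < len(fat) and fat[c] != 0]
    return guessed, reused


def slack(size: int) -> Dict[str, int]:
    """RAM slack: end of file to end of its last sector. File slack: the unused
    whole sectors of the last cluster. Drive slack: both together."""
    allocated = -(-size // CLUSTER_BYTES) * CLUSTER_BYTES
    drive_slack = allocated - size
    ram_slack = (-size) % BYTES_PER_SECTOR
    return {"drive_slack": drive_slack, "ram_slack": ram_slack,
            "file_slack": drive_slack - ram_slack}


def make_entry(name_8_3: bytes, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    raw = bytearray(DIR_ENTRY_SIZE)
    raw[0:11] = name_8_3
    raw[11] = 0x20                                   # archive attribute
    struct.pack_into("<H", raw, 26, first_cluster)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARKER
    return bytes(raw)


# Constructed FAT (index = cluster; 0 = free; 0xFFFF = end of chain).
# REPORT.TXT (2500 bytes) occupies 2 -> 3 -> 5. SECRET.DOC (1500 bytes) used
# 4 -> 6 before deletion; its entries are now 0, so a contiguous guess (4, 5)
# would pull live REPORT.TXT data out of cluster 5.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 5, 0, 0xFFFF, 0, 0]
SAMPLE_DIR = (make_entry(b"REPORT  TXT", 2, 2500)
              + make_entry(b"SECRET  DOC", 4, 1500, deleted=True)
              + bytes(DIR_ENTRY_SIZE))
```

Running `list_directory(SAMPLE_DIR)` shows the live entry and the deleted one as `?ECRET.DOC`; `follow_chain` on cluster 2 returns the fragmented chain 2, 3, 5 while cluster 4 stops after one hop because the chain was zeroed, and `recover_deleted_clusters` flags cluster 5 as reused. That last point is why the slide says recovery needs forensic tools rather than a blind undelete: the start cluster and size survive, the chain does not.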

Page 33: Cos413day3

Examining NTFS Disks

• First introduced with Windows NT

• Spin-off of HPFS
  – From IBM OS/2

• Provides improvements over FAT file systems
  – Stores more information about a file

• Microsoft’s move toward a journaling file system
  – Keeps track of transactions
  – Can be rolled back

Page 34: Cos413day3

Examining NTFS Disks (continued)

• Partition Boot Sector starts at sector 0

• Master File Table (MFT)
  – First file on disk
  – Contains information about all files on disk (metadata)

• Reduces slack space

• NTFS uses Unicode
  – UTF-8, UTF-16, UTF-32

Page 35: Cos413day3

Examining NTFS Disks (continued)

Page 36: Cos413day3

NTFS File Attributes

• All files and folders have attributes

• Resident attributes
  – Stored in the MFT

• Nonresident attributes
  – Everything that cannot be stored in the MFT

• Uses inodes for nonresident attributes

• Logical and virtual cluster numbers
  – LCN and VCN

Page 37: Cos413day3

NTFS Data Streams

• Data can be appended to a file when examining a disk
  – Can obscure valuable evidentiary data

• Additional data attribute of a file

• Allows files to be associated with different applications

Page 38: Cos413day3

NTFS Compressed Files

• Improve data storage
  – Compression similar to FAT DriveSpace 3

• Files, folders, or an entire volume can be compressed

• Transparent when working with Windows XP, 2000, or NT

• Need to decompress when analyzing
  – Advanced tools do it automatically

Page 39: Cos413day3

NTFS Encrypted File System (EFS)

• Introduced with Windows 2000

• Implements a public key/private key encryption method

• Recovery certificate
  – Recovery mechanism in case of a problem

• Works for local workstations or remote servers

Page 40: Cos413day3

Deleting NTFS Files

• Similar to FAT

• NTFS is more efficient than FAT
  – Reclaiming deleted space
  – Deleted files are overwritten more quickly

Page 41: Cos413day3

Understanding the Windows Registry

• Database that stores:
  – Hardware and software configuration
  – User preferences (user names and passwords)
  – Setup information

• Use the Regedit command for Windows 9x

• Use the Regedt32 command for Windows XP and 2000

• FTK Registry Viewer

Page 42: Cos413day3

Understanding the Windows Registry (continued)

• Windows 9x Registry
  – User.dat
  – System.dat

• Windows 2000 and XP Registry
  – \Winnt\System32\Config
  – \Windows\System32\Config
  – System, SAM, Security, Software, and NTUser.dat

Page 43: Cos413day3

Understanding the Windows Registry (continued)

Page 44: Cos413day3

Understanding Microsoft Boot Tasks

• Prevent damaging digital evidence

• OSs alter files when computer starts up

Page 45: Cos413day3

Windows XP, 2000 and NT Startup

• Steps:
  – Power-on self test (POST)
  – Initial startup
  – Boot loader
  – Hardware detection and configuration
  – Kernel loading
  – User logon

Page 46: Cos413day3

Startup Files for Windows XP

• Files used during the boot process:
  – NTLDR
  – Boot.ini
  – BootSec.dos
  – NTDetect.com
  – NTBootdd.sys
  – Ntoskrnl.exe
  – Hal.dll
  – Device drivers

Page 47: Cos413day3

Windows XP System Files

Page 48: Cos413day3

Windows 9x and Me Startup

• Windows Me cannot boot to a true MS-DOS mode

• Windows 9x OSs have two modes
  – DOS protected-mode interface (DPMI)
    • Command prompt from boot menu
  – Protected-mode GUI
    • DOS shell in Windows

• Startup files
  – Io.sys
  – Msdos.sys
  – Command.com

Page 49: Cos413day3

Windows 9x and Me Startup (continued)

Page 50: Cos413day3

Understanding MS-DOS Startup Tasks

• Io.sys
  – Loaded after the ROM bootstrap
  – Finds the disk drive
  – Provides basic input/output services

• Msdos.sys
  – Loaded after Io.sys
  – Actual kernel for MS-DOS
  – Looks for Config.sys

Page 51: Cos413day3

Understanding MS-DOS Startup Tasks (continued)

• Msdos.sys (continued)
  – Loads Command.com
  – Loads Autoexec.bat

• Config.sys
  – Commands run only at system startup

• Autoexec.bat
  – Customized settings for MS-DOS
  – Defines the default path and environment variables

Page 52: Cos413day3

Other Disk Operating Systems

• Control Program for Microprocessors (CP/M)

• Digital Research Operating System (DR-DOS)

• Personal Computer Disk Operating System (PC-DOS)
  – Developed by IBM

Page 53: Cos413day3

DOS Commands and Batch Files

• Batch files
  – Fixed sequence of DOS commands
  – Ideal for repetitive tasks

• Batch files work like a single command

• MS-DOS supports parameter passing and conditional execution
  – Can pass up to 10 parameters

Page 54: Cos413day3

DOS Commands and Batch Files (continued)

Page 55: Cos413day3

DOS Commands and Batch Files (continued)

Page 56: Cos413day3

Summary

• FAT
  – FAT12, FAT16, and FAT32

• Windows Registry keeps hardware and software configuration and preferences

• CHS calculation

• NTFS

• Look for hidden information in file, RAM, and drive slack

Page 57: Cos413day3

Summary (continued)

• NTFS uses Unicode to store information

• Hexadecimal codes identify OSs and file types

• NTFS uses inodes to link file attribute records
  – Resident and nonresident

• NTFS compressed files

• NTFS encrypted files (EFS)